[00:00.000 --> 00:06.460]  Good to support the village. I'm really glad to see that DEF CON continued on this year.
[00:06.460 --> 00:11.480]  I think it was a great idea. You know, there's a lot of people that don't always get to make it out to DEF CON.
[00:11.480 --> 00:16.320]  And so, you know, people get a little taste of what it's like. They missed the human interaction part.
[00:16.320 --> 00:19.740]  But I would bet it's going to be back even bigger and stronger next year.
[00:19.740 --> 00:26.200]  But thanks to Omar and Joseph for continuing this on as well as DEF CON in general.
[00:26.780 --> 00:30.200]  So I'm happy to present my new talk here today.
[00:30.440 --> 00:33.220]  I have a talk that I do, the Pentester Blueprint.
[00:33.680 --> 00:36.340]  And it's basically a talk on becoming a Pentester.
[00:36.680 --> 00:40.700]  And so I came up with something more Red Team related.
[00:41.640 --> 00:47.040]  Because there's a lot of confusion between what true Red Team is and Pentesting.
[00:47.080 --> 00:53.400]  So who am I? I'm Phillip Wylie. I have my CISSP, OSCP, and the SANS GWAPT cert.
[00:53.400 --> 00:57.320]  I'm a senior lead at a global consumer products company.
[00:57.580 --> 01:02.240]  I'm also an adjunct professor at Dallas College, formerly Richland College.
[01:02.260 --> 01:16.400]  I'm the founder of the Pwn School Project, which is a monthly, now virtual, meetup that teaches cybersecurity techniques, with a big focus on offensive security.
[01:16.400 --> 01:18.620]  So a lot of our talks are geared towards that.
[01:19.180 --> 01:22.520]  Even some good talks on SOX and other areas of security.
[01:22.520 --> 01:27.080]  I've been in technology and InfoSec for over 22 years.
[01:27.840 --> 01:30.600]  2004 is when I got my start into security.
[01:30.880 --> 01:33.360]  The last eight years I've spent Pentesting.
[01:33.360 --> 01:35.780]  First five years I was a consultant.
[01:36.060 --> 01:40.240]  I was featured in the book, The Tribe of Hackers, Red Team book edition.
[01:40.320 --> 01:44.280]  So those are some really great books by Marcus Carey and Jennifer Jin.
[01:44.640 --> 01:47.800]  Really good for those getting started out, but I recommend it for anyone else.
[01:47.800 --> 01:51.080]  It's advice from industry professionals on different topics.
[01:51.080 --> 01:56.640]  There's The Red Team. There's The First Tribe of Hackers. It's across all spectrums of security.
[01:57.000 --> 02:00.480]  And then there's the leadership book out.
[02:00.820 --> 02:06.420]  I'm also the co-author of The Pentester Blueprint, Starting a Career in Ethical Hacking.
[02:06.500 --> 02:11.940]  I took my talk, The Pentester Blueprint, and decided to make a book.
[02:11.940 --> 02:16.660]  And I teamed up with Kim Crawley to help me make that a reality.
[02:16.660 --> 02:20.140]  So that should be coming out late fall or so.
[02:20.140 --> 02:25.480]  And I'm also a co-host of the Uncommon Journey podcast with Chloé Messdaghi and Alyssa Miller.
[02:27.840 --> 02:35.200]  So the agenda. During this talk, I'm going to describe my path into offensive security.
[02:35.200 --> 02:38.460]  Because a lot of people that attend these talks are trying to get into it.
[02:38.460 --> 02:44.020]  There's not a lot of... you have to look out there to find good information on how to get into certain areas of security.
[02:44.020 --> 02:46.820]  And there's not a lot of stuff on offensive security.
[02:46.820 --> 02:52.280]  So continuing on in the spirit of the Pentester Blueprint talk,
[02:52.280 --> 02:59.700]  I've kind of extended that on to offensive security in general with this talk being more focused on red teaming.
[02:59.700 --> 03:09.300]  We're going to discuss what offensive security is, the different domains, a red team intro, red team tools, a red team blueprint,
[03:09.300 --> 03:15.040]  as well as some other educational resources and books out there and blogs.
[03:15.560 --> 03:20.960]  So my offensive security path is kind of an unusual one. I started out as a pro wrestler.
[03:20.960 --> 03:25.280]  I graduated high school and my friends asked me, what are you going to do for a career?
[03:25.280 --> 03:32.240]  And I did not have a clue. I mean, really college wasn't in the plans for me and I didn't know what I was going to do.
[03:32.240 --> 03:36.260]  I was a power lifter and my friends said, hey, you're a big guy. You should be a pro wrestler.
[03:36.260 --> 03:39.420]  So I went to wrestling school and I wrestled for a few years.
[03:39.420 --> 03:47.540]  And I got out in the late 80s due to needing a more stable career since I got married.
[03:47.540 --> 03:52.020]  So I was married and needed a stable career for my wife and future family.
[03:53.560 --> 04:02.500]  When I did that, you know, just having, you know, working through other areas of manual labor and retail sales,
[04:02.500 --> 04:07.000]  I saw an ad on TV for a trade school that taught AutoCAD.
[04:07.000 --> 04:11.520]  So I went to school to be a CAD draftsman and there's where things really started to take off.
[04:12.580 --> 04:20.140]  I learned about sysadmin work because I was working in offices and we had a network administrator,
[04:20.180 --> 04:25.180]  a system administrator come in one time to work on our systems and found out that, you know,
[04:25.180 --> 04:28.600]  this guy was making more money than I was and what he did looked a lot more interesting.
[04:28.600 --> 04:34.820]  I taught myself how to build computers, took a Novell network class, which used to be the popular network operating system
[04:34.820 --> 04:39.640]  before Microsoft really took off with their directory services.
[04:40.140 --> 04:44.040]  So from there I moved into InfoSec and then AppSec.
[04:44.040 --> 04:49.300]  And AppSec is really where I kind of found out about pen testing and offensive security,
[04:49.300 --> 04:52.220]  learning how to use web application vulnerability scanners,
[04:52.220 --> 04:57.180]  going to some different vendor talks on their tools and stuff got me interested in pen testing.
[04:57.280 --> 05:03.600]  So in 2012, I got laid off from my job of 14 years at a mortgage company
[05:03.600 --> 05:07.820]  and then I went to work as a consultant working in pen testing.
[05:07.820 --> 05:13.380]  I did that for five years and then got out of consulting and moved more into the corporate world.
[05:13.840 --> 05:16.880]  And then back in November, I moved into red teaming.
[05:18.740 --> 05:23.160]  So this is a slide I share every semester during all these conference talks
[05:23.160 --> 05:28.100]  because, you know, only hack if you have permission, even better written permission.
[05:28.100 --> 05:30.120]  Hacking without permission is illegal.
[05:30.120 --> 05:34.420]  So as long as you have permission, you're good.
[05:34.420 --> 05:43.720]  But, you know, you don't want to get in any trouble because if you get any kind of criminal record,
[05:43.720 --> 05:48.820]  then it kind of makes it hard to work in any area of IT and especially something like offensive security.
[05:49.220 --> 05:52.980]  So I like this quote. I first learned about it from Spider-Man.
[05:52.980 --> 05:55.700]  With great power comes great responsibility.
[05:56.900 --> 05:59.040]  So what is offensive security?
[05:59.040 --> 06:05.120]  So offensive security is kind of a broad generalization of different types of ethical hacking.
[06:05.120 --> 06:11.880]  So it's assessing security of a target using adversary tactics, techniques, and procedures or TTPs,
[06:11.880 --> 06:14.180]  commonly known as ethical hacking.
[06:15.000 --> 06:21.960]  So some of the different domains in offensive security, two main categories is pen testing and red teaming.
[06:21.960 --> 06:26.940]  You can see different areas in pen testing that are covered.
[06:27.100 --> 06:37.100]  Network, application, network including wireless, cloud, social engineering, physical security, hardware, and vehicle security can be tested through pen testing.
[06:37.380 --> 06:39.880]  Red teaming is kind of more of a specialized area.
[06:40.240 --> 06:43.400]  You're getting into more adversarial type simulations.
[06:44.020 --> 06:46.320]  But there's been a lot of confusion.
[06:46.540 --> 06:51.080]  So red teaming, red team engagement is not a pen test. It's not the same thing.
[06:51.080 --> 06:54.720]  They've been used interchangeably, pen testing and red team for years.
[06:54.720 --> 07:00.380]  It's a way to generalize, kind of the same way the blue team generalizes the defensive side.
[07:00.380 --> 07:05.440]  Even on the defensive side, all blue team is not the same. There's a lot of differences.
[07:05.800 --> 07:10.360]  But red team, a lot of people have confused and think that red teaming in general, that it's all the same, but it's not.
[07:10.360 --> 07:12.920]  So there are some distinct differences.
[07:13.960 --> 07:19.260]  Some of the commonalities, these similarities between the two areas.
[07:19.520 --> 07:25.080]  They're both forms of pen testing or forms of defensive security.
[07:25.240 --> 07:32.920]  Exploitation, social engineering, phishing, and physical security exploitation are used on both of these.
[07:32.920 --> 07:34.520]  Sometimes not everything.
[07:34.520 --> 07:42.900]  With your pen testing, a lot of times only social engineering, phishing, or physical security exploitation is not part of it.
[07:42.900 --> 07:49.380]  Unless it's specifically built into the statement of work, the rules of engagement.
[07:51.740 --> 07:54.200]  There are some differences there too.
[07:54.200 --> 08:01.020]  With red teaming, you're emulating a threat actor, an APT, an advanced persistent threat.
[08:01.060 --> 08:06.420]  With pen testing, you're using some of those techniques, but you're not emulating a threat actor.
[08:06.420 --> 08:08.400]  You're just using some of those techniques.
[08:08.400 --> 08:10.740]  In red teaming, you're trying to avoid detection.
[08:10.740 --> 08:16.080]  With pen testing, it's a time box test. You're limited to the amount of time you have to test.
[08:16.160 --> 08:20.240]  So you don't have time to go low and slow to try to avoid being detected.
[08:20.580 --> 08:27.920]  And due to the time constraints, you're using vulnerability scanners and doing a lot of port and service scanning, which makes it more loud.
[08:27.920 --> 08:30.860]  So you're not really avoiding detection.
[08:30.860 --> 08:36.220]  Sometimes it can be part of a statement of work, but usually this gets more into your red teaming.
[08:36.440 --> 08:38.700]  Red teaming is less restrictive.
[08:38.700 --> 08:46.220]  There are more areas you can test; in most cases, social engineering and phishing are part of it, part of the scope.
[08:46.620 --> 08:48.640]  With the pen testing, it's more limited.
[08:48.640 --> 08:56.300]  With PCI, when PCI came out, a lot of the pen tests... PCI has driven a lot of pen testing requirements.
[08:56.440 --> 09:01.240]  To be PCI compliant, you know, it's a requirement to be pen tested.
[09:01.240 --> 09:06.880]  So a lot of the focus has been on just what is needed to be compliant and not overall security.
[09:06.880 --> 09:08.020]  So some things get missed.
[09:08.820 --> 09:10.960]  And that's kind of carried on throughout the pen test.
[09:11.140 --> 09:13.980]  There's a certain area that they want to be tested.
[09:14.480 --> 09:16.800]  Sometimes it's not a lot of time to plan it out.
[09:17.960 --> 09:20.500]  Budget constraints, they just want to get it done quickly.
[09:20.620 --> 09:23.660]  And with pen testing, vulnerability is the focus.
[09:24.080 --> 09:29.740]  Whereas with red teaming, you're trying to simulate an actual attacker or cyber criminal.
[09:31.000 --> 09:32.820]  And there's a lot of tool commonalities.
[09:32.820 --> 09:37.200]  If you look at the list of tools here, you see everything is pretty much the same.
[09:37.200 --> 09:40.540]  There are some variants and some things that are not on this list.
[09:40.540 --> 09:42.600]  But the common tools are listed here.
[09:42.700 --> 09:45.660]  With pen testing, you're using vulnerability scanners.
[09:45.860 --> 09:50.420]  Red teaming, you know, if you're using a vulnerability scanner, you're going to cause noise.
[09:50.420 --> 09:51.960]  You know, you want to be quiet.
[09:52.620 --> 09:54.860]  Metasploit can be used across both of those.
[09:55.300 --> 10:00.620]  And also you see malware and exploits used across both.
[10:00.620 --> 10:07.540]  But red teaming relies on it more heavily to get the footholds, using malware and doing phishing campaigns.
[10:07.540 --> 10:14.960]  Command and control is done both, and useful in both, but a lot more heavily relied on for red teaming.
[10:17.850 --> 10:23.350]  And so here's kind of a little red introduction on red teaming.
[10:23.350 --> 10:29.710]  Red teaming is scenario-based assessment, emulating threat actors, and even simulating specific APTs.
[10:29.710 --> 10:34.930]  You can go through like the MITRE ATT&CK framework and pick out specific APTs to mimic.
[10:35.050 --> 10:38.610]  The goal of red team operation is to simulate real-world breaches.
[10:38.670 --> 10:44.590]  Not only is this operator testing the security of technology, they're testing the people in the process.
[10:45.150 --> 10:49.890]  A great quote from Wirefall, the founder of Dallas Hackers Association,
[10:49.890 --> 10:51.530]  is the red team tests the blue team.
[10:51.530 --> 10:54.070]  And this is a good way to describe that.
[10:54.150 --> 10:57.110]  When you're doing a pen test, you're really not testing the people.
[10:57.110 --> 11:00.910]  You're testing the security controls and the technology.
[11:01.170 --> 11:08.510]  With red teaming, you're testing the reactions of the defenders, as well as any of the systems being detected.
[11:08.830 --> 11:14.550]  During a pen test, things can be detected, and usually, unless it's built in to block it, you're not going to get blocked.
[11:14.550 --> 11:16.470]  They're going to let you complete the pen test.
[11:19.460 --> 11:23.420]  And red team operations take a lot of time to plan and perform.
[11:23.420 --> 11:29.280]  So you're trying to go and plan a specific scenario, a certain type of APT.
[11:29.280 --> 11:31.260]  You're trying to imitate.
[11:31.260 --> 11:33.980]  So you're taking the time to plan this out, to perform it.
[11:33.980 --> 11:36.100]  And usually, you've got more time.
[11:36.400 --> 11:42.080]  A pen test, not to say it's a thorough pen test, but a lot of times, a pen test may be a week.
[11:42.640 --> 11:46.800]  Like a red team engagement could be four weeks or it could be months.
[11:46.800 --> 11:51.060]  So it depends on the scenario you're trying to imitate.
[11:51.060 --> 11:57.700]  And so red team operations rely heavily on OSINT to enumerate information on target technologies and employees.
[11:57.960 --> 12:03.840]  This is leveraged through social engineering and phishing to gain initial foothold in the target environment.
[12:04.120 --> 12:10.160]  You can also do like an assumed breach and use accounts.
[12:10.160 --> 12:22.560]  But this is a good way to see how easy it is to get past people, the process and technology by using phishing campaigns,
[12:22.560 --> 12:31.100]  sending malicious payloads to end users or compromising a site and putting payloads in there to gain access to the systems.
[12:31.220 --> 12:35.480]  Detection avoidance is very important for red team to be successful.
[12:35.480 --> 12:37.680]  Because part of this is they're trying to stop you.
[12:37.680 --> 12:42.200]  They may see something going on and they're going to let you finish the pen test.
[12:42.200 --> 12:49.040]  During a red team engagement, usually the people you're testing, they don't know about the pen test.
[12:49.040 --> 12:53.560]  It's not announced. Usually management and a few key people know what's going on.
[12:53.560 --> 13:06.060]  So in case the defenders detect this, they can report it and it can be treated internally to look like a normal breach to see how everyone reacts to it during the exercise.
[13:06.060 --> 13:10.280]  So that's important to stay undetected.
[13:12.920 --> 13:19.360]  Red team TTPs: red team operations use a lot of malware payloads to gain initial footholds.
[13:19.560 --> 13:25.920]  So being able to evade and obfuscate your code for your malware and exploits is very important.
[13:26.000 --> 13:34.560]  A lot of times to get it to work in a pen testing role, you have to work on obfuscating your code because PowerShell is getting more detected.
[13:34.560 --> 13:44.100]  Although some environments it's not. So as a practitioner, keep trying. People will say this is not environments anymore. It still will be.
[13:44.100 --> 13:53.040]  I mean, I've performed pen tests as recent as the end of 2018 where Windows XP was in a company, a Fortune 100 company.
[13:53.040 --> 13:59.140]  So that stuff's still out there and not everyone's blocking PowerShell, but it's becoming more often blocked.
[13:59.140 --> 14:03.840]  So some of the skills that you'll need to work on is really working on the evasion and obfuscation.
[14:03.840 --> 14:13.860]  Command and Control or C2 is a very important tool used to compromise systems, deliver payloads, elevate privileges, lateral movement, and use for persistence.
[14:13.900 --> 14:20.580]  Cobalt Strike is a very popular command and control as well as there's some other ones out there, Silent Trinity, Covenant.
[14:23.180 --> 14:32.020]  And actually Team Ares from Critical Start came out with Domidios, which is a new C2 that's built on Go.
[14:32.020 --> 14:40.060]  So it looks really promising, a new one out there and recently was added to the C2 matrix.
[14:42.400 --> 14:46.780]  And Red Team Ops Planning, so as we mentioned, there's more planning that goes into this.
[14:46.780 --> 14:52.920]  It can be more detailed, so you can map the APTs from the MITRE ATT&CK framework and use tools like VECTR.
[14:53.320 --> 14:58.660]  VECTR is a pretty cool tool I learned about from Jorge Orchilles' talks.
[14:58.660 --> 15:01.740]  He does a lot of great talks on red teaming and purple teaming.
[15:01.760 --> 15:05.160]  He currently works for Scythe, so he's a SANS instructor.
[15:05.160 --> 15:11.200]  He teaches the SANS Red Team course, so keep an eye out for his videos.
[15:11.200 --> 15:21.160]  This VECTR tool is a framework that you can plan out your scenarios for your Red Team engagements.
[15:21.160 --> 15:26.120]  So you can go through and map out the APTs that it's pulling from the MITRE ATT&CK framework.
[15:26.600 --> 15:33.960]  And so Red Team Ops can also be less complicated and not map to specific APTs, just using common TTPs.
[15:33.960 --> 15:41.060]  And as your program starts out, it may not take really advanced attacks to be able to compromise systems.
[15:41.500 --> 15:44.200]  You know, it's kind of like offensive security in general.
[15:44.220 --> 15:50.200]  You want to make sure that you've got your vulnerability scanning program, your vulnerability management solid in place.
[15:50.560 --> 15:57.260]  You know, before you include it with pen testing, but you really want to get that in place and working on that.
[15:57.260 --> 16:07.280]  As you get to more open scope pen tests and Red Team engagements where more things are in scope and can be exploited,
[16:07.280 --> 16:13.140]  then, you know, as you become more mature, then you'll need to emulate more advanced attacks.
[16:13.140 --> 16:23.000]  So starting out, you may not have to be as complicated, but as you're going along, you can become more complicated and detailed in your attacks.
[16:23.000 --> 16:30.400]  And using the tools like the MITRE ATT&CK framework and VECTR to map those out are great options.
[16:33.150 --> 16:35.630]  There are some additional Red Team benefits here.
[16:35.630 --> 16:39.510]  So a major benefit of Red Team is testing the people process and technology.
[16:39.710 --> 16:50.070]  So during the operation, if activities are not detected, then the Red Team can work with the security team to tune the security defenses to be able to detect malicious activity.
[16:50.070 --> 17:01.450]  This can be extended to Purple Teaming engagements or activities where you just work with the Blue Team to tune their systems to detect different types of exploits.
[17:01.450 --> 17:11.070]  So during your testing, if PowerShell is not being detected, if Mimikatz is not being detected, then you can, you know, kind of do a Purple Team activity,
[17:11.070 --> 17:16.730]  just kind of working with your Blue Team as you launch specific attacks.
[17:16.790 --> 17:25.170]  See if they detect it and help them to work on detecting those systems where you can build signatures to detect those vulnerabilities.
[17:29.010 --> 17:38.270]  And so in the spirit of the Pentester Blueprint, I'm kind of going to go into some details on here on how to become a Red Team operator.
[17:38.270 --> 17:49.450]  So, you know, basically Red Team operator is a Pentester. You're getting more specialized, going more into adversarial simulation.
[17:49.450 --> 17:56.490]  But you have to start, you need a base, the base starting out. So your base, you need to understand technology.
[17:56.490 --> 18:02.810]  So if you're jumping in this from nothing, then you're going to have to build these technologies.
[18:02.810 --> 18:10.810]  You have to understand networking and operating systems and Active Directory that you're performing Pentest against some of these networks and Red Team engagements.
[18:10.850 --> 18:21.050]  Because Active Directory is Microsoft's directory services where all the users and different computer objects and security settings are set in Active Directory.
[18:21.050 --> 18:25.470]  You get access to that, you can breach a lot of things, compromise on a large scale.
[18:25.470 --> 18:30.830]  I mean, the way to look at it is kind of like a single sign-on type of solution using LDAP.
[18:30.830 --> 18:37.230]  So you're able to, if you're able to compromise Active Directory, then you can get access to anything in the environment.
[18:37.690 --> 18:47.710]  So understand, you have to understand this technology. So understanding networking, understanding operations, operating systems from a, you know, a system administrator perspective.
[18:47.710 --> 18:56.430]  You need to be able to start and stop services, you know, disable firewalls, enable services, and that sort of thing during a Pentest.
[18:56.430 --> 19:04.610]  So if you gain a shell on a system or command line access, then the more you understand the command line, the more things you can do, the more effective you can be.
[19:04.610 --> 19:06.430]  And you've got to understand networking.
[19:07.310 --> 19:16.010]  And Pentesting hacking, so you have to understand the different tools and techniques that penetration testers and hackers use.
[19:16.170 --> 19:20.990]  So you have to have those because, you know, hacking is part of being a Red Teamer.
[19:20.990 --> 19:28.890]  That's part of the job. It's kind of an extension or more advanced form of Pentesting.
[19:28.930 --> 19:31.830]  And so programming and scripting can be very important.
[19:32.070 --> 19:38.730]  Some of the best hackers I know can program. They can write their own code or they can write their own scripts.
[19:39.450 --> 19:43.690]  So popular ones out there are Python and PowerShell.
[19:43.690 --> 19:58.470]  From a Red Teamer or Pentester perspective, you know, knowing how to use PowerShell, using some of the tools like PowerShell Empire, and some of the different exploitation tools out there in command and control is very important.
[19:58.470 --> 20:02.670]  So you don't necessarily have to know how to write PowerShell, although it's good.
[20:03.050 --> 20:08.370]  Tools like Python and Golang can be used across multiple platforms.
[20:08.450 --> 20:10.690]  Python has been very popular for years.
[20:10.690 --> 20:14.570]  It allows you to write tools pretty quickly, modify tools.
[20:14.690 --> 20:25.950]  And from programming scripting perspective, at first you need to really be able to, you know, modify exploit code, be able to look at Python code and be able to alter that to fit.
[20:25.950 --> 20:31.190]  Maybe you find some exploit code and there's something different about that system that you need to modify.
[20:31.190 --> 20:36.290]  So just understanding how to modify exploits is important. It's a good starting step.
[20:36.290 --> 20:41.430]  But be able to write Python scripts. Golang is a very new popular one.
[20:41.910 --> 20:45.890]  I guess it's been out five or six years or so, maybe longer, eight years.
[20:45.890 --> 20:48.830]  But it's a really good one because it's also a compiled language.
[20:48.830 --> 20:51.810]  It can run across multiple platforms.
[20:51.810 --> 21:00.090]  The thing I really like about it too is you can compile code on a Linux or Mac system to run on Windows.
[21:00.090 --> 21:02.130]  So this is kind of nice.
[21:02.130 --> 21:11.390]  Some of your exploits, if you're doing a pen test, then you need a similar system with Linux to be able to compile your exploit code.
[21:11.490 --> 21:14.210]  A similar system or compile it on that system.
[21:14.210 --> 21:18.590]  With this, you can easily compile it on your own system.
[21:18.730 --> 21:24.490]  And this C Sharp is a very popular one for pen testing.
[21:24.610 --> 21:29.530]  Some of the PowerShell started getting detected and people moved on to C Sharp.
[21:29.530 --> 21:32.750]  There's a lot of good tools out there with C Sharp.
[21:32.750 --> 21:37.290]  A lot of the tools are kind of going away from PowerShell more towards C Sharp.
[21:37.290 --> 21:41.230]  So understand these tools. You'll write your own tools and it'll make you a lot better hacker.
[21:42.870 --> 21:50.290]  So yeah, just be able to do that makes, like I said, some of the best hackers I know and red teamers know how to write their own code.
[21:50.290 --> 21:52.630]  I mean, you stop and look at some of the tools out there.
[21:52.750 --> 21:58.710]  harmj0y, for instance, from SpecterOps, he's a prime example of someone that writes tools and he's a red teamer.
[21:58.710 --> 22:04.930]  So I mean, this goes to show you, you look at a lot of these high level pen testers and red teamers.
[22:04.930 --> 22:07.010]  They're writing exploits and they're writing tools.
[22:07.010 --> 22:11.670]  So if you really want to do well, then that's an area to focus on.
[22:15.210 --> 22:17.670]  So red team focus skills.
[22:17.670 --> 22:21.730]  So malware and exploit development, where these are also important in pen testing.
[22:21.850 --> 22:27.010]  Really working on obfuscating and be able to evade systems.
[22:27.010 --> 22:31.810]  With your PowerShell code or C sharp or any language you're writing and be able to obfuscate.
[22:31.810 --> 22:37.370]  Sometimes there's written tools out there and you can use different tools to obfuscate.
[22:37.550 --> 22:41.450]  Or going to manually modify yourself to try to take some of the headers out and signatures.
[22:41.450 --> 22:43.490]  So it's not as easily detectable.
[22:43.490 --> 22:49.970]  Sometimes it could just be the name of the developer of the tool that the system's picking up or the name of the tool in the system.
[22:49.970 --> 22:53.590]  So just be able to modify your code where it's not being detected.
[22:54.390 --> 22:56.210]  Active directory exploitation.
[22:56.210 --> 23:04.810]  Understanding active directory is not enough, but understanding active directory and knowing how to exploit it is very important in red teaming.
[23:04.810 --> 23:08.350]  And command and control. So command and control is a very important tool.
[23:08.910 --> 23:12.990]  It allows you to send payloads to your systems.
[23:12.990 --> 23:16.050]  Once you get a system compromised, you get access to it.
[23:16.050 --> 23:22.230]  Then you can do lateral movements, going to other computers, other accounts, try to escalate privileges.
[23:22.230 --> 23:28.250]  And help you maintain persistence, maintain control over the systems that you exploit.
[23:28.410 --> 23:33.370]  In phishing and social engineering, these are two very helpful tools.
[23:33.370 --> 23:40.150]  Because in a lot of cases, maybe their systems are pretty secure as far as trying to crack passwords.
[23:40.150 --> 23:47.170]  Or if you're doing an assumed breach and you're on that network and maybe you're not able to crack hashes.
[23:47.170 --> 23:54.970]  So if you can send malware through email, through phishing campaigns, then that's a way to get initial foothold.
[23:55.150 --> 23:58.850]  Social engineering to get people to execute that code.
[23:59.050 --> 24:02.410]  Physical security exploits. Gaining access to the buildings.
[24:02.610 --> 24:08.330]  Getting past security into the server rooms or different areas to be able to pull off your exploits.
[24:13.260 --> 24:18.040]  And here's kind of a learning path to follow for gaining these skills.
[24:18.040 --> 24:22.520]  Kind of a good baseline or a good place to start.
[24:22.520 --> 24:26.040]  And this is assuming that you've got an IT background.
[24:26.660 --> 24:28.900]  You've got to learn the hacking skills.
[24:29.780 --> 24:38.300]  Certification courses like the OSCP, Hack the Box are really good to build those skills.
[24:38.300 --> 24:40.260]  Learning social engineering.
[24:40.260 --> 24:46.860]  But the OSCP is a really good one because you've got to get those hacking skills before you really get into the red teaming.
[24:47.140 --> 24:49.580]  So you need to be a good hacker.
[24:49.580 --> 24:57.400]  So there's other courses out there like eLearn Security where a lot of those other courses really focus on pen testing.
[24:57.400 --> 24:59.420]  Which pen testing and hacking is similar.
[24:59.440 --> 25:03.940]  With the OSCP there is a big focus on hacking skills.
[25:03.940 --> 25:13.620]  And with some of the newer content of the OSCP, they've kind of went more in the direction of adding more pen testing content.
[25:13.620 --> 25:19.860]  Whereas before it was mainly just a really great hacking course.
[25:19.860 --> 25:24.180]  And kind of teaching kind of the way pen testing used to be.
[25:24.200 --> 25:32.680]  But a good path is once you get the skill set of someone with OSCP, then you can start working on the red teaming skills.
[25:32.680 --> 25:34.300]  And this is something you can work on hand in hand.
[25:34.300 --> 25:37.600]  Because your red teaming skills, you're going to be working on Active Directory.
[25:37.740 --> 25:41.700]  So there's some courses out there that are really good for red teaming.
[25:41.860 --> 25:45.920]  And Pentester Academy's Red Team Labs is a good resource.
[25:45.920 --> 25:48.180]  They have Active Directory in their labs.
[25:48.180 --> 25:49.980]  So they've got different levels.
[25:50.100 --> 25:54.100]  But they even have like a red team certification.
[25:54.100 --> 26:04.040]  They have labs where you're using Linux to exploit Windows systems as well as Windows systems to perform the same similar labs.
[26:04.040 --> 26:09.140]  Learning how to use PowerShell exploits during that to compromise systems.
[26:09.140 --> 26:18.940]  And then eLearn Security, their Pen Testing Extreme course is labeled Pen Testing Extreme, but it's a red team course.
[26:18.940 --> 26:21.040]  It teaches red teaming techniques.
[26:21.040 --> 26:29.840]  They teach you exploit development, code obfuscation, and some other techniques that are important for red teaming.
[26:29.940 --> 26:35.420]  Hack the Box Pro, Rasta Labs, this is a really great, good one to learn.
[26:35.420 --> 26:42.200]  And it's kind of inspired RastaMouse to start the Zero Point Security Red Team Ops course.
[26:42.200 --> 26:43.520]  I'm actually going through that.
[26:43.520 --> 26:48.400]  And if they actually have a certification with that, I'm currently going through that at the moment.
[26:48.420 --> 26:49.900]  And it's a really good course.
[26:49.900 --> 26:53.740]  I mean, it's even set up to where you can send phishing emails in that environment.
[26:55.040 --> 27:00.000]  And so some different tools and resources for red teaming.
[27:00.000 --> 27:08.680]  So your APT planning, as mentioned, the MITRE ATT&CK Framework, VECTR, there's the URLs for those resources.
[27:08.880 --> 27:10.200]  Those are really good to know.
[27:10.200 --> 27:15.140]  Just getting out there and learning how a threat actor's mind works.
[27:15.140 --> 27:19.700]  Getting that threat actor mindset through tools like the MITRE ATT&CK Framework.
[27:19.700 --> 27:21.680]  Learning how those TTPs work.
[27:21.880 --> 27:23.720]  You get to see some of the common attacks.
[27:23.720 --> 27:25.340]  And this is a great resource for defenders.
[27:25.340 --> 27:27.740]  It's being widely used by defenders.
[27:28.060 --> 27:30.340]  Command and Control, the C2 Matrix.
[27:31.960 --> 27:35.280]  You can find that at the C2Matrix.com.
[27:35.560 --> 27:37.420]  Cobalt Strike is one of the more popular ones.
[27:37.420 --> 27:39.060]  One of the first command and control.
[27:39.060 --> 27:42.600]  Although Metasploit is also considered command and control.
[27:43.020 --> 27:46.560]  It's also pretty heavy on the exploit framework.
[27:47.020 --> 27:51.400]  But Cobalt Strike, Silent Trinity, PowerShell Empire.
[27:51.840 --> 27:56.200]  BC Security took over support of that and upgraded it to Python 3.
[27:56.520 --> 27:59.980]  And you can use Starkiller, which is a web front end to it.
[27:59.980 --> 28:04.640]  It makes it more similar to some of the other C2s that have a web front end.
[28:05.200 --> 28:07.240]  Or you can use these tools as a team.
[28:07.240 --> 28:08.720]  You can collaborate together.
[28:08.720 --> 28:11.360]  So you can collaborate on the same project.
[28:11.360 --> 28:14.240]  So these really work well for collaboration.
[28:14.580 --> 28:21.060]  And a shout out to Critical Start Team Ares with their DeimosC2 that recently came out.
[28:21.060 --> 28:22.660]  It's written in Golang.
[28:23.680 --> 28:29.380]  They're adding new items to it, new features as it goes along.
[28:29.380 --> 28:30.720]  So it just recently came out.
[28:30.720 --> 28:31.960]  They're pretty excited about it.
[28:31.960 --> 28:33.940]  It looks like a really good tool.
[28:34.300 --> 28:36.340]  So you should check that out.
[28:36.340 --> 28:38.240]  It's a free tool. It's open source.
[28:38.240 --> 28:40.060]  It's like a lot of the other C2s.
[28:40.600 --> 28:42.120]  And operating systems.
[28:42.120 --> 28:44.880]  Slingshot OS or Slingshot Linux.
[28:44.880 --> 28:46.940]  You can find that on SANS.
[28:47.440 --> 28:54.220]  It's a good operating system for pentesting as well as red teaming.
[28:54.220 --> 28:56.840]  It has a lot of the C2s already installed.
[28:57.140 --> 29:01.980]  So actually VECTR, I believe VECTR is installed as well.
[29:02.220 --> 29:07.420]  Kali Linux and Parrot OS are good hacking options and Commando VM for Windows.
[29:07.420 --> 29:10.280]  So in red teaming, you're dealing a lot with Active Directory.
[29:10.280 --> 29:13.560]  So it's good to have a Windows box to test with.
[29:14.100 --> 29:16.140]  And resources and courses.
[29:16.300 --> 29:20.740]  So Hack the Box Pro as mentioned by RastaLabs.
[29:20.740 --> 29:22.780]  One of RastaMouse's projects.
[29:22.860 --> 29:25.040]  Pentester Academy, Red Team Labs.
[29:26.020 --> 29:29.380]  And institute.sektor7.net.
[29:29.380 --> 29:30.240]  This is a good course.
[29:30.240 --> 29:32.980]  They have relatively inexpensive.
[29:34.580 --> 29:39.900]  And I'm kind of listing some of these out based on the expense of the course.
[29:39.900 --> 29:43.860]  They have a course on malware writing for red teaming.
[29:43.860 --> 29:47.580]  They have a Privilege Escalation as well as another course.
[29:47.580 --> 29:48.520]  I can't think of it at the moment.
[29:48.520 --> 29:51.100]  But these three different courses build red team skills.
[29:51.100 --> 29:55.520]  And sometimes some courses may deal more on the red team side and less on the malware.
[29:55.800 --> 29:58.640]  With this course, they have good coverage of malware.
[29:58.800 --> 30:01.800]  So that's a good skill to develop.
[30:01.800 --> 30:03.440]  And they cover that in that course.
[30:03.500 --> 30:07.880]  And Zero-Point Security's Red Team Ops course by RastaMouse.
[30:07.880 --> 30:10.000]  Which they actually have a certification for.
[30:10.020 --> 30:12.140]  This is a pretty cool environment.
[30:12.360 --> 30:14.420]  You have VPN access to it.
[30:14.460 --> 30:16.420]  They have Windows boxes in there.
[30:16.700 --> 30:22.840]  You're separated through a firewall so you're connecting in.
[30:23.720 --> 30:26.900]  So you have to send a phishing email to get on that system.
[30:26.900 --> 30:28.200]  So it's really cool.
[30:28.320 --> 30:31.480]  If you have the OSCP, you can just take the exam.
[30:31.480 --> 30:36.820]  But I didn't really want to miss out on the educational opportunity of going through the course fully.
[30:36.960 --> 30:38.740]  So that's currently what I'm working on.
[30:38.740 --> 30:41.000]  It's been a lot of fun so far.
[30:41.100 --> 30:42.380]  eLearnSecurity, as we mentioned.
[30:42.380 --> 30:44.740]  The Pentesting Extreme course.
[30:45.040 --> 30:46.580]  That one's a red team course.
[30:46.580 --> 30:47.620]  And they cover malware.
[30:47.620 --> 30:50.240]  So it's a really good, well-rounded course.
[30:50.240 --> 30:51.880]  Covers a lot of good materials.
[30:52.000 --> 30:54.180]  I haven't personally taken this course myself.
[30:54.180 --> 30:57.740]  But I've taken the eLearnSecurity Web App Pentesting course.
[30:57.740 --> 30:59.280]  And the Mobile Pentesting course.
[30:59.280 --> 31:00.780]  And they're good quality courses.
[31:00.780 --> 31:04.540]  And they don't expect you to be an expert to be able to take these courses and learn from it.
[31:04.540 --> 31:10.720]  They start in enough detail that someone with technical experience can pick these up.
[31:10.800 --> 31:14.480]  And then the SpecterOps Adversary Tactics: Red Team Operations.
[31:14.720 --> 31:21.120]  I fortunately got to take a couple courses before COVID really started ramping up.
[31:21.200 --> 31:23.780]  And it caused us all to have to socially isolate.
[31:23.780 --> 31:25.680]  But I got to attend this talk.
[31:26.140 --> 31:27.840]  harmj0y was one of the presenters there.
[31:27.840 --> 31:30.900]  As well as some of the other gurus from SpecterOps.
[31:30.900 --> 31:36.720]  But this course, if you've got Cobalt Strike, this is a really good way to learn Cobalt Strike.
[31:37.140 --> 31:39.240]  And use it as a Red Team Operator.
[31:39.760 --> 31:42.720]  FortyNorth has a couple good classes.
[31:43.100 --> 31:46.860]  Their initial access operations and intrusion operations.
[31:46.860 --> 31:50.060]  So they cover some malware in their course.
[31:50.060 --> 31:52.420]  As well as Silent Break Security.
[31:52.420 --> 31:57.860]  They have a malware development course and the adversary simulation.
[31:58.300 --> 32:00.100]  So these are really great courses.
[32:00.400 --> 32:04.840]  And SANS Red Team Exercises and Adversary Emulation.
[32:04.840 --> 32:06.900]  This is a two-day course.
[32:07.080 --> 32:09.240]  And Jorge Orchilles teaches this.
[32:09.240 --> 32:11.560]  And it looks like a really good course.
[32:11.560 --> 32:18.400]  They get into the Red Team from building a team type perspective.
[32:18.400 --> 32:21.380]  As well as doing the technology piece.
[32:21.380 --> 32:24.580]  And then Cobalt Strike offers some free videos on their site.
[32:24.580 --> 32:28.880]  If you go to the training and support tab on the Cobalt Strike website.
[32:29.180 --> 32:31.220]  There's links to their YouTube page as well.
[32:31.220 --> 32:35.880]  So they've got all sorts of tools in Cobalt Strike that they teach you how to use.
[32:35.940 --> 32:39.660]  A lot of the tools are pretty easy to pick up on.
[32:39.660 --> 32:44.340]  But if you haven't had experience with C2s, then I highly recommend these videos.
[32:44.340 --> 32:47.440]  Because there's things that are done a little bit different with a C2.
[32:47.440 --> 32:52.920]  But they do a good job of covering the different tools that you can use within Cobalt Strike.
[32:52.920 --> 32:56.780]  And Cobalt Strike uses PowerShell and C Sharp tools pretty heavily.
[32:56.780 --> 33:02.560]  As well as other scripting languages and executable files.
[33:02.600 --> 33:04.440]  So that's a good resource out there.
[33:04.440 --> 33:10.940]  You get a good idea of how Red Teaming works from the Cobalt Strike video series as well.
[33:13.680 --> 33:15.500]  And resources and blogs.
[33:15.500 --> 33:20.820]  So here's a list of some blogs and resources that I've come across.
[33:20.820 --> 33:24.520]  I started dedicated Red Teaming back in November.
[33:24.520 --> 33:30.480]  So I've been doing a lot of research and studying to learn the Red Team side of things.
[33:30.700 --> 33:33.980]  So here's some good... the Red Team Journal is kind of an older blog.
[33:35.300 --> 33:37.800]  I don't think it's been updated lately.
[33:37.800 --> 33:39.760]  But there's a lot of good information on there.
[33:39.900 --> 33:44.120]  The Red Team Guide is based on the Red Team Guide book.
[33:44.120 --> 33:47.300]  But there's a lot of good documents on there on starting pen tests.
[33:47.300 --> 33:49.180]  And some of the different techniques.
[33:49.240 --> 33:51.620]  I mean Red Teaming techniques.
[33:52.000 --> 33:57.820]  And ThreatExpress is kind of a site related to the Red Team Guide.
[33:57.820 --> 34:01.400]  Same people. It was kind of their blog before they came out with the Red Team Guide.
[34:01.400 --> 34:02.720]  Good information there.
[34:03.780 --> 34:07.000]  Mike Bleeder's website along with his awesome tools.
[34:08.120 --> 34:10.940]  There's a lot of great information on his blog.
[34:10.960 --> 34:12.200]  harmj0y's blog is great.
[34:12.200 --> 34:13.720]  BC Security.
[34:14.200 --> 34:15.840]  SpecterOps.
[34:15.840 --> 34:16.860]  RastaMouse.
[34:16.860 --> 34:20.220]  Hausec is actually part of SpecterOps.
[34:20.220 --> 34:21.780]  Silent Security's blog.
[34:21.780 --> 34:23.440]  FortyNorth's blog.
[34:23.560 --> 34:27.820]  And ired.team and Vincent Yiu's blogs.
[34:27.820 --> 34:31.680]  These are some really good places to learn.
[34:31.680 --> 34:42.140]  And I've been using a lot of these resources as I'm going through RastaMouse's Zero-Point Security Red Team Ops course.
[34:43.300 --> 34:44.800]  There's some other books out there.
[34:44.800 --> 34:48.900]  So this is one of the books out here that recently came out.
[34:48.900 --> 34:50.140]  The Hacker's Playbook.
[34:50.140 --> 34:55.340]  If you've seen version 1 and 2, it's more pen testing related.
[34:55.340 --> 34:58.760]  But version 3 gets into Red Teaming.
[34:58.760 --> 35:01.520]  I highly recommend if you don't have version 2, get version 2.
[35:01.520 --> 35:06.360]  It's got a lot of good real world pen testing attack scenarios.
[35:06.580 --> 35:09.560]  So also the Red Team Development and Operations.
[35:09.560 --> 35:13.300]  This kind of shows you how to build a Red Team.
[35:13.320 --> 35:15.560]  And one of the authors is Joe Vest.
[35:15.560 --> 35:17.940]  He formerly worked with SpecterOps.
[35:17.940 --> 35:24.360]  I got to meet him back during my Red Team training through SpecterOps earlier this year.
[35:24.480 --> 35:25.720]  So it's a really good book.
[35:25.720 --> 35:32.620]  And they go through and show you some different checklists and stuff on how to perform Red Team operations.
[35:32.720 --> 35:36.940]  So it's a really good book even for management or people who manage Red Teams.
[35:36.940 --> 35:41.140]  I recommend this book because it kind of shows you how Red Team operations work.
[35:41.500 --> 35:45.180]  And then Hands-On Red Team Tactics, A Practical Guide to Mastering Red Team.
[35:45.200 --> 35:50.660]  This book actually covers some Cobalt Strike information.
[35:50.780 --> 35:57.360]  And this was recently recommended yesterday or actually Friday during one of the talks in Red Team Village.
[35:57.360 --> 36:01.620]  So it's a little more indicator that it's a good resource.
[36:01.760 --> 36:06.380]  But these are some good books out there as well as just pen testing books in general.
[36:06.380 --> 36:10.720]  Learning pen testing and certifications.
[36:10.720 --> 36:12.920]  There's not like a lot of certifications out there yet.
[36:13.000 --> 36:14.840]  And there may be more than this.
[36:14.840 --> 36:22.160]  I saw another Red Team cert that is more physically and more lock picking and more physical security related.
[36:22.160 --> 36:29.520]  But what you're going to need from, in most cases, what you would gain from Zero-Point Security's cert,
[36:29.520 --> 36:37.920]  the skills that you would need for performing Red Teaming operations.
[36:37.920 --> 36:44.720]  While some of the physical stuff is important, you can take lock picking courses and learn physical security to kind of really get started.
[36:44.720 --> 36:47.000]  Especially if you have a pen testing background.
[36:47.000 --> 36:52.760]  And these three cert courses or the certs would be good to have.
[36:52.860 --> 36:59.140]  And some of these pen test focused certs from Offensive Security, SANS, and eLearnSecurity.
[36:59.140 --> 37:04.660]  Offensive Security and the SANS certs are really good for getting your foot in the door as a pen tester.
[37:04.820 --> 37:06.560]  And good for getting pen testing jobs.
[37:06.560 --> 37:08.960]  The eLearnSecurity is starting to gain more notoriety.
[37:08.960 --> 37:13.760]  They're really good courses and really well written and really well priced.
[37:13.760 --> 37:17.400]  If you don't have the money to, you know, your company won't put you through SANS training.
[37:17.400 --> 37:22.580]  Then Offensive Security and eLearnSecurity, those certification courses are really good ones.
[37:22.600 --> 37:25.140]  As well as the Pentester Academy courses.
[37:26.860 --> 37:28.980]  And here's my contact information.
[37:29.640 --> 37:34.960]  I kind of got into teaching and presenting at conferences as a way to share.
[37:34.960 --> 37:38.320]  I used to mentor and still do mentor a lot of people.
[37:38.660 --> 37:41.640]  A lot of times just answering questions and sharing resources.
[37:41.880 --> 37:44.740]  So this stuff is my hobby. I live and breathe this stuff.
[37:44.880 --> 37:50.900]  So I'm always up to talk about this stuff, give career advice, and help out if you're having questions.
[37:51.020 --> 37:55.700]  There's my contact information. Feel free to contact me.
[37:57.840 --> 38:01.500]  And so that concludes my presentation.
[38:02.000 --> 38:04.420]  Awesome. Thank you so much, Phillip.
[38:04.420 --> 38:06.500]  As always, you have been amazing.
[38:06.500 --> 38:10.700]  And thank you so much for supporting the community and the Red Team Village as well.
[38:10.820 --> 38:16.300]  And for those of you that are online, please join the conversation in Discord.
[38:16.700 --> 38:19.240]  We have the link in the bottom of the screen.
[38:19.240 --> 38:24.780]  So in the description, whether you're in YouTube, in Periscope, or in Twitch.
[38:24.780 --> 38:25.880]  Please join us.
